b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                 While the Data Loss Prevention Solution Is\n                 Being Developed, Stronger Oversight and\n                  Process Enhancements Are Needed for\n                   Timely Implementation Within Budget\n\n\n\n                                     September 22, 2014\n\n                             Reference Number: 2014-20-087\n\n\n\n\nThis report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n and information determined to be restricted from public release has been redacted from this document.\n\nRedaction Legend:\n1 \xe2\x80\x93 Tax Return/Return Information\n3 = Other Identifying Information\n\n\n\nPhone Number / 202-622-6500\nE-mail Address / TIGTACommunications@tigta.treas.gov\nWebsite        / http://www.treasury.gov/tigta\n\x0c                                                HIGHLIGHTS\n\n\nWHILE THE DATA LOSS PREVENTION                      Personally Identifiable Information and data that\nSOLUTION IS BEING DEVELOPED,                        should not be exiting IRS networks.\nSTRONGER OVERSIGHT AND PROCESS                      Based on its new projected implementation date\nENHANCEMENTS ARE NEEDED FOR                         of December 31, 2014, the IRS will have taken\nTIMELY IMPLEMENTATION WITHIN                        more than four years to build and develop its\nBUDGET                                              DLP solution. Because of the length of time\n                                                    taken, TIGTA believes that stronger\n                                                    management oversight is needed to ensure that\nHighlights                                          the DLP solution meets its new implementation\n                                                    date within budget. In addition, the IRS could\nFinal Report issued on                              not provide support to validate SPIIDE Project\nSeptember 22, 2014                                  spending, which it reports to be more than\n                                                    $9.6 million of the $11.4 million budgeted\nHighlights of Reference Number: 2014-20-087         through Fiscal Year 2014.\nto the Internal Revenue Service Chief               Lastly, DLP solution processes and procedures\nTechnology Officer.                                 can be enhanced while the DLP solution is still\nIMPACT ON TAXPAYERS                                 being developed. While TIGTA determined that\n                                                    the DLP Operations team correctly classified\nThe protection of sensitive and personal            99 (94 percent) of 105 sampled e-mail events,\ninformation is more important than ever with        TIGTA also found that 17 (57 percent) of the\nelectronic communications becoming                  30 appropriately classified e-mail events were\nincreasingly prevalent. Safeguarding Personally     potential incidents that were not forwarded to all\nIdentifiable Information in the possession of the   appropriate incident responders. These\nIRS is essential to retaining the trust of          incidents should have been forwarded to and/or\ntaxpayers.                                          accepted by the Office of Privacy, Governmental\n                                                    Liaison, and Disclosure. That office should have\nWHY TIGTA DID THE AUDIT                             then advised the affected parties of the\nThis audit is included in our Fiscal Year 2014      disclosure and offered credit monitoring services\nAnnual Audit Plan and addresses the IRS major       in 11 of the 17 potential incidents.\nmanagement challenge of Security of Taxpayer        WHAT TIGTA RECOMMENDED\nData and Employees. The overall objective was\nto determine whether the Safeguarding               TIGTA recommended that the Chief Technology\nPersonally Identifiable Information Data Extracts   Officer ensure that the SPIIDE Project team\n(SPIIDE) Project is developing a data loss          reconciles the DLP solution funding and\nprevention (DLP) and protection solution for        expenses and resolves discrepancies identified\nimplementation in accordance with applicable        during the audit. TIGTA also recommended that\npolicies and procedures and within budget to        the Director, Privacy, Governmental Liaison, and\nsafeguard sensitive taxpayer data.                  Disclosure, revise the disclosure acceptance\n                                                    criteria to ensure that all potential Personally\nWHAT TIGTA FOUND                                    Identifiable Information disclosure incidents are\nThe SPIIDE Project team is progressing in its       reported.\ndevelopment and implementation of the DLP           In their response, IRS management agreed with\nsolution. The team has completed key required       all but two recommendations. The IRS partially\nenterprise life cycle deliverables and has been     agreed with one recommendation and disagreed\nidentifying and addressing security weaknesses      with the recommendation to revise its disclosure\nas they are detected. Notwithstanding these         acceptance criteria. TIGTA agrees with the\nachievements, the SPIIDE Project team               rationale for the partial agreement, but believes\ncontinues to face challenges to timely implement    that the acceptance criteria should be revised to\nthe DLP solution to protect from disclosing         protect against disclosures.\n\x0c                                            DEPARTMENT OF THE TREASURY\n                                                 WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 22, 2014\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n\n FROM:                       Michael E. McKenney\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 While the Data Loss Prevention Solution Is Being\n                             Developed, Stronger Oversight and Process Enhancements Are Needed\n                             for Timely Implementation Within Budget (Audit # 201420024)\n\n This report presents the results of our review of the Internal Revenue Service\xe2\x80\x99s data loss\n prevention solution. The overall objective of this review was to determine whether the\n Safeguarding Personally Identifiable Information Data Extracts Project is developing a data loss\n prevention and protection solution for implementation in accordance with applicable policies and\n procedures and within budget to safeguard sensitive data. This audit is included in our Fiscal\n Year 2014 Annual Audit Plan and addresses the major management challenge of Security for\n Taxpayer Data and Employees.\n Management\xe2\x80\x99s complete response is included in Appendix VI.\n Copies of this report are also being sent to the Internal Revenue Service managers affected by the\n report recommendations. If you have any questions, please contact me or Kent Sagara, Acting\n Assistant Inspector General for Audit (Security and Information Technology Services).\n\x0c                        While the Data Loss Prevention Solution Is Being Developed,\n                               Stronger Oversight and Process Enhancements\n                           Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 3\n          Stronger Management Oversight Is Needed to Ensure\n          That the Data Loss Prevention Solution Meets Its\n          New Implementation Date Within Budget ................................................... Page 3\n                    Recommendations 1 through 4:......................................... Page 11\n\n                    Recommendation 5:........................................................ Page 12\n\n          Data Loss Prevention Solution Processes and Procedures\n          Can Be Enhanced .......................................................................................... Page 12\n                    Recommendations 6 and 7: .............................................. Page 19\n\n                    Recommendations 8 through 10: ....................................... Page 20\n\n                    Recommendations 11 and 12: ........................................... Page 21\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 22\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 24\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 25\n          Appendix IV \xe2\x80\x93 Outcome Measure ................................................................ Page 26\n          Appendix V \xe2\x80\x93 Glossary of Terms ................................................................. Page 27\n          Appendix VI \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ...................... Page 32\n\x0c         While the Data Loss Prevention Solution Is Being Developed,\n                Stronger Oversight and Process Enhancements\n            Are Needed for Timely Implementation Within Budget\n\n\n\n\n                       Abbreviations\n\nCSIRC            Computer Security Incident Response Center\nDAR              Data-at-Rest\nDIM              Data-in-Motion\nDIU              Data-in-Use\nDLP              Data Loss Prevention\nIFS              Integrated Financial System\nIPS              Integrated Procurement System\nIRM              Internal Revenue Manual\nIRS              Internal Revenue Service\nOMB              Office of Management and Budget\nOPR              Office of Professional Responsibility\nOps              Operations\nPGLD             Privacy, Governmental Liaison, and Disclosure\nPII              Personally Identifiable Information\nSBU              Sensitive But Unclassified\nSPIIDE           Safeguarding Personally Identifiable Information Data Extracts\nSSN              Social Security Number\nTIC              Trusted Internet Connection\nTIGTA            Treasury Inspector General for Tax Administration\nTIN              Taxpayer Identification Number\n\x0c                     While the Data Loss Prevention Solution Is Being Developed,\n                            Stronger Oversight and Process Enhancements\n                        Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                            Background\n\nThe protection of sensitive and personal information is more important than ever with electronic\ncommunications becoming increasingly prevalent. Safeguarding Personally Identifiable\nInformation (PII) in the possession of the Federal Government and preventing its breach are\nessential to retaining the trust of the American public. This responsibility is shared by officials\naccountable for administering operational, privacy, and security programs. PII is any\ninformation that, by itself or in combination with other information, may be used to uniquely\nidentify an individual. For the Internal Revenue Service (IRS), PII primarily consists of Social\nSecurity Numbers (SSN), names, addresses, dates and places of birth, bank account numbers,\ne-mail addresses, telephone numbers, and mother\xe2\x80\x99s maiden names. The Office of Management\nand Budget (OMB) and the Department of the Treasury (Treasury) Chief Information Office\nreleased several memoranda to address the issue of safeguarding PII across all Federal agencies.\nIn a February 2011 report,1 the Treasury Inspector General for Tax Administration (TIGTA)\nreported that the IRS had not implemented a recommended enterprise data leakage prevention\nsystem before approving the Secure Email With Taxpayers program because the IRS, along with\nthe Treasury, determined the data loss prevention solutions in the marketplace, at that time, were\nnot mature or robust enough to address the IRS\xe2\x80\x99s needs. In addition, the report linked the\nimportance of the recommended data leakage system with the Administration\xe2\x80\x99s Trusted Internet\nConnection (TIC)2 initiative, which is one of three priorities to improve cybersecurity and the\nsecurity of Federal information systems. The TIC initiative aims to improve agencies\xe2\x80\x99 security\nposture and incident response capabilities through enhanced monitoring and situational\nawareness of all external network connections.\nIn response to the OMB memoranda, the IRS Cybersecurity\xe2\x80\x99s Architecture and Implementation\nBranch is leading the Safeguarding Personally Identifiable Information Data Extracts (SPIIDE)\nProject to promote secure practices in electronic communications (e-mails and Internet access)\non the IRS network to protect Sensitive But Unclassified (SBU) data. Taking a phased approach,\nthe SPIIDE Project team plans to build a system environment to implement the Symantec\xe2\x80\x99s Data\nLoss Prevention (DLP) commercial off-the-shelf software solution that is capable of identifying\nand tracking a number of the IRS\xe2\x80\x99s defined PII datasets. The DLP solution is designed to give\nthe IRS an enterprise view into where its most sensitive data are stored, who has access to the\ndata, and where and by whom the data are sent to outside the IRS network. By using this\ninformation, the IRS can spot broken business processes and reduce the overall risk of exposure.\nThe DLP solution is a system that will take a data-centric approach to security, in which policies\n\n1\n  Treasury Inspector General for Tax Administration, Ref. No.2011-20-012, Additional Security Is Needed for the\nTaxpayer Secure E-Mail Program p. 5 (Feb. 2011).\n2\n  See Appendix V for a glossary of terms.\n                                                                                                          Page 1\n\x0c                  While the Data Loss Prevention Solution Is Being Developed,\n                         Stronger Oversight and Process Enhancements\n                     Are Needed for Timely Implementation Within Budget\n\n\ncan be developed around the content that should be protected and then deployed across multiple\ndata states or functionalities, such as identifying, monitoring, and preventing. The DLP solution\nconsists of three components: Data-in-Motion (DIM), Data-at-Rest (DAR), and Data-in-Use\n(DIU).\n   \xef\x82\xb7   The DIM monitors data moving across the IRS\xe2\x80\x99s information technology perimeter and\n       identifies PII in e-mails and attachments that are in the process of being sent from the\n       IRS. Once identified, the system can prevent inappropriate dissemination of the PII\n       based upon policy. While the system is being developed, the SPIIDE Project team will\n       not prevent e-mails from being sent out until the DIM capability is fully implemented and\n       National Treasury Employees Union (hereafter referred to as Union) negotiations are\n       completed. The IRS plans to implement only the DIM component in its initial release.\n   \xef\x82\xb7   The DAR discovers and identifies PII residing across the IRS\xe2\x80\x99s vast information\n       technology infrastructure and determines whether it has adequate protection. The DAR\n       scans PII stored on network databases, storage devices, and SharePoint sites. The DAR\n       is scheduled for implementation in Release 2.\n   \xef\x82\xb7   The DIU monitors data being created and manipulated on users\xe2\x80\x99 workstations and\n       prevents the unintended or malicious distribution, storage, or alteration. The DIU,\n       installed on users\xe2\x80\x99 laptops, identifies PII that is stored on thumb drives and compact disks\n       as well as in e-mails. The DIU tags PII in e-mails as it is being typed and is more\n       preventive rather than reactive when compared to the DIM. The DIU is scheduled for\n       implementation in Release 3.\nThis review was performed at the Information Technology organization\xe2\x80\x99s Cybersecurity office in\nNew Carrollton, Maryland, during the period December 2013 through June 2014. We conducted\nthis performance audit in accordance with generally accepted government auditing standards.\nThose standards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our audit\nobjective. We believe that the evidence obtained provides a reasonable basis for our findings\nand conclusions based on our audit objective. Detailed information on our audit objective,\nscope, and methodology is presented in Appendix I. Major contributors to the report are listed in\nAppendix II.\n\n\n\n\n                                                                                            Page 2\n\x0c                 While the Data Loss Prevention Solution Is Being Developed,\n                        Stronger Oversight and Process Enhancements\n                    Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                Results of Review\n\nThe SPIIDE Project team is progressing in its development and implementation of the DLP\nsolution. They have completed key required enterprise life cycle deliverables through the current\nmilestone and have been identifying and addressing security weaknesses as they are identified,\nsuch as defining user roles and responsibilities to ensure that separation of duties exists and\ncreating individual user accounts with minimum required privileges rather than the team using\nthe default administrator account that provided privileged accesses and permissions to the\nsystem. The SPIIDE Project team has also conducted several e-mail monitoring tests of the DLP\nsolution to determine whether the system is identifying disclosures of PII as expected and is\nupdating the policy to reduce the number of false positives.\nThe IRS paid more than $3.7 million to purchase user seat licenses and maintenance for the DLP\nsolution for use by all of the Treasury. This amount was far less than the initial bid of\n$5.9 million for licenses and maintenance that Symantec offered the IRS for the same number of\nusers, despite not effectively using all of them. Specifically, the IRS bought 110,000 individual\nuser seat licenses and maintenance for the DIM component it is developing and the other two\nDLP solution components (the DIU and the DAR) that are not scheduled for implementation. In\naddition, the IRS bought 30,000 individual user seat licenses and maintenance for all three DLP\nsolution components for the Treasury to use, although to date only two agencies have inquired\nabout the licenses and none have requested to use them. According to the new executive\nassigned to the SPIIDE Project, the reason for the limited use is that other agencies within the\nTreasury have run into similar development and implementation challenges as those experienced\nby the IRS. The IRS is now providing guidance to the other agencies in the Treasury and\ninstituting a process that can be repeated for future implementation of the remaining DLP\nsolution components. For example, the IRS is considering adding policies to the DLP solution\nthat will include identifying bank account numbers that are leaked from its networks.\nNotwithstanding the above achievements, the SPIIDE Project team continues to face challenges\nto timely implement the DLP solution to protect PII from disclosure and loss of data. Stronger\nmanagement oversight is needed to ensure that the DLP solution meets its new implementation\ndate within budget. In addition, DLP solution processes and procedures can be enhanced to\nimprove the effectiveness of the DLP solution.\n\nStronger Management Oversight Is Needed to Ensure That the Data\nLoss Prevention Solution Meets Its New Implementation Date Within\nBudget\nBased on its new projected implementation date, the IRS will have taken more than four years to\nbuild and develop the DLP solution and implement one (the DIM) of the three components to\n                                                                                          Page 3\n\x0c                     While the Data Loss Prevention Solution Is Being Developed,\n                            Stronger Oversight and Process Enhancements\n                        Are Needed for Timely Implementation Within Budget\n\n\nprotect PII since the SPIIDE Project was first chartered in March 2010. In a February 2011\nTIGTA report, the IRS planned to fully implement the DLP solution in April 2012 and later\nchanged the date to July 2012. In April 2013, the SPIIDE Project team requested and received\nExecutive Steering Committee approval to rebaseline the implementation of the DLP solution by\nDecember 31, 2014. Because of the length of time taken to implement the DLP solution, we\nbelieve that the IRS is at risk of not fulfilling a recommended DLP solution capability, which is\nincluded in the Administration\xe2\x80\x99s TIC initiative for improving cybersecurity and the security of\nFederal information systems.\n\nManagement control challenges have affected the implementation of the\nDLP solution\nThe SPIIDE Project team has and continues to face challenges to timely implement the DLP\nsolution. These challenges include insufficient funding and dedicated resources, changes in\nproject leadership and lack of experience, and project administration and execution issues with\nthe development and implementation of the DLP solution.\n    \xef\x82\xb7   The DLP solution continues to compete for limited IRS information technology program\n        funding and resources with other higher priority projects and initiatives, such as the\n        Affordable Care Act,3 the Customer Account Data Engine 2, and each annual filing\n        season from 2012 through 2014. As a result of the funding and resource demands: 1) the\n        SPIIDE Project team lost a project manager and two of four contracted subject matter\n        experts; 2) the development, integration, and test environment was not initially funded\n        and delayed the start of the DLP solution pilot by nine months; and 3) functions in the\n        IRS Information Technology organization were delayed in reviewing architecture plans\n        and performing operational implementation maintenance and work, e.g., system\n        administrators were not readily available to replace and test a computer motherboard that\n        crashed, on the DLP solution.\n    \xef\x82\xb7   The SPIIDE Project team lacked consistent leadership, team members, and experience in\n        developing and implementing the DLP solution. The DLP solution has had at least\n        three project managers during its development. In addition, we reviewed the SPIIDE\n        Project team\xe2\x80\x99s list of lessons learned, which indicated issues with stakeholder\n        communications, the need for longer commitments from team members, team members\xe2\x80\x99\n        limited knowledge of the enterprise life cycle process and requirements management,\n        inadequate relationships with process owners, poor planning when requesting necessary\n        equipment, and insufficient lead time for contractors to obtain background clearances.\n        For example, beginning in February 2011, the SPIIDE Project team experienced\n        approximately a five-month delay with contract negotiations and waiting for contractor\n\n\n3\n Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as\namended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.\n                                                                                                          Page 4\n\x0c                 While the Data Loss Prevention Solution Is Being Developed,\n                        Stronger Oversight and Process Enhancements\n                    Are Needed for Timely Implementation Within Budget\n\n\n       background clearances, only to discover that the contractors, ******3******\n       ********3********, were not qualified and had to be replaced.\n   \xef\x82\xb7   Due to miscommunication between the SPIIDE Project team and the Office of Privacy,\n       Governmental Liaison, and Disclosure (PGLD), a live data waiver, a requirement for\n       testing when using real taxpayer data, was allowed to expire, which delayed further\n       testing of the DLP solution in February 2014. Operating without a live data waiver\n       violated IRS policy. Internal Revenue Manual (IRM) 10.8.8.1, Live Data Protection,\n       requires that the use of live data is prohibited without approval from the PGLD office.\n       This provision applies to all offices, business, operating, and functional units within the\n       IRS, and is to be applied when live data are used to accomplish the IRS\xe2\x80\x99s mission. This\n       manual also applies to individuals and organizations having contractual arrangements\n       with the IRS, including employees, contractors, vendors, and outsourcing providers that\n       use or operate information technology systems containing IRS live data.\n   \xef\x82\xb7   In September 2013, the IRS hired an executive in its Cybersecurity office with experience\n       in implementing the DLP solution. Among his responsibilities for the SPIIDE Project is\n       to help provide guidance for its development and implementation efforts. The executive\n       offered some insight into why the SPIIDE Project encountered and continues to\n       encounter delays. For example, the responsibility for the expected data output should lie\n       with the business owners rather than the SPIIDE Project team, and the processes, roles,\n       and responsibilities that are now being developed should have been in place earlier.\n   \xef\x82\xb7   Efforts to involve the Union should have begun earlier to negotiate the process for\n       addressing employees involved with outbound unencrypted e-mails. The process can be\n       laborious and involve bargaining experts who represent the Union as well as IRS\n       management and attorneys.\nTo provide perspective regarding the length of time used to implement the DLP solution, we\nidentified and contacted two other Government agencies, the U.S. Postal Service and the\nDepartment of State, that have implemented the solution. They shared with us that they were\nable to implement their DLP solution through a \xe2\x80\x9cplug and play,\xe2\x80\x9d rather than building a system\nenvironment, in approximately six and 24 months, respectively. The IRS\xe2\x80\x99s response to the other\nGovernment agencies \xe2\x80\x9cplug and play\xe2\x80\x9d was that it was not a viable option. Officials shared with\nus that they have tax systems that could/would most likely be negatively affected if drivers were\nautomatically installed by \xe2\x80\x9cplug and play\xe2\x80\x9d software. While both agencies implemented the DIM\nfirst, the U.S. Postal Service was able to start blocking e-mails within three months after\nimplementation and has subsequently implemented the DAR component. Both agencies initially\nidentified SSNs in their search criteria; however, the U.S. Postal Service includes credit card\nnumbers and threatening words. We shared our observations of the other agencies with the\nSPIIDE Project team.\n\n\n\n                                                                                             Page 5\n\x0c                    While the Data Loss Prevention Solution Is Being Developed,\n                           Stronger Oversight and Process Enhancements\n                       Are Needed for Timely Implementation Within Budget\n\n\nThe designed capabilities of the DLP solution can be improved\nWhen the IRS\xe2\x80\x99s DLP solution is implemented, it will not be as robust in its capabilities as the\nsolution can provide, especially when identifying more SSNs that could exit the IRS network\nundetected. Specifically, the SPIIDE Project team included policies in the DLP solution to\nidentify PII using only SSNs, based on a specific pattern, and only in association with key words\nor phrases (i.e., Social Security Number, SSN, SS#) in unencrypted outbound e-mails. However,\nwe determined the IRS could add another common term, Taxpayer Identification Numbers\n(TIN), independently or in association with SSNs, to further enhance the DLP solution\ncapabilities.\nWe conducted research of TIGTA\xe2\x80\x99s Data Center Warehouse, which receives selected downloads\nof IRS computer data, and identified four major IRS databases4 that use the heading \xe2\x80\x9cTIN\xe2\x80\x9d as a\nkey word in identifying taxpayer SSNs. During the audit, we conducted an independent testing\nof the DLP solution to determine whether the DLP solution is capable of identifying unencrypted\ne-mails containing PII. We designed 43 e-mails containing TIN as the key word. The DLP\nsolution did not identify any of the e-mails because policies were not created to identify that\nkey word.\nIn addition, during the independent testing, we created 32 e-mails that met the narrow policy\ncriteria currently used by the DLP solution. These e-mails contained the ADOBE portable\ndocument format, jpeg, Excel, and Word documents with the key word SSN and a nine-digit\nnumber separated by hyphens, periods, no spaces, and spaces as separators. The DLP solution\ncorrectly identified 28 (88 percent) of the 32 e-mails. However, for the remaining four e-mails,\nthe DLP solution failed to identify the SSNs in Excel documents because the key word \xe2\x80\x9cSSN\xe2\x80\x9d\nwas placed in comment boxes in the spreadsheets rather than inside the cells.\nWe discussed the four exceptions with the SPIIDE Project team, and they stated that the DLP\nsolution version 11.6 the IRS purchased could not detect embedded comments in Microsoft\nOffice 2007 files. They further stated that the Symantec vendor corrected the issue in version 12.\nThe SPIIDE Project team plans to upgrade to version 12 after full deployment, if funding is\navailable. The upgrade will need to be discussed with the Enterprise Life Cycle Project\nManagement Office because it may be considered a major system change, which will require the\nSPIIDE Project team to coordinate work with the IRS\xe2\x80\x99s Enterprise Operations function, rework\nenterprise life cycle and other project documentation, and perform additional testing and all other\nmaintenance release tasks.\nGuidelines and recommendations as well as other factors, such as impact and dependency for\nother systems, also needed to be considered when implementing a DLP solution. The National\nInstitute for Standards and Technology Special Publication 800-122, Guide to Protecting the\n\n4\n The four IRS databases were the Integrated Data Retrieval System, the Integrated Collection System, the\nAutomated Collection System, and the Examination Returns Control System. These computer systems are capable\nof retrieving, updating, or providing employees with access to stored taxpayer information.\n                                                                                                     Page 6\n\x0c                    While the Data Loss Prevention Solution Is Being Developed,\n                           Stronger Oversight and Process Enhancements\n                       Are Needed for Timely Implementation Within Budget\n\n\nConfidentiality of Personally Identifiable Information,5 recommends that agencies implement\nautomated tools, such as a network data leakage prevention tool, to monitor transfers of PII and\nto monitor inbound and outbound communications for unauthorized activities. In addition, the\nGovernment Accountability Office\xe2\x80\x99s Standards for Internal Control in the Federal Government 6\nprovides that application controls should be designed to help ensure completeness, accuracy,\nauthorization, and validity of all transactions during application processing. Controls should be\ninstalled as an application interfaces with other systems to ensure that all inputs are received and\nare valid and that outputs are correct and properly distributed.\nThe IRS is developing a partial DLP solution to identify potential disclosures of PII associated\nwith the key word \xe2\x80\x9cSSN\xe2\x80\x9d in its outbound unencrypted e-mails. Without a more robust DLP\nsolution in place, the IRS lessens its ability to effectively and accurately discover or prevent PII\ndata leakage, maintain confidentiality of data, ensure public trust of conducting business\nelectronically, and prevent disclosure and loss of information. However, once implemented, the\nIRS plans to add additional polices to the DIM that will identify passwords, credit card numbers,\nand bank account numbers.\n\nDLP solution budget and expense figures could not be supported\nThe IRS could not provide support to validate that the SPIIDE Project spent more than\n$9.6 million of its budgeted $11.4 million through Fiscal Year 2014 to implement the\nDLP solution. As part of our review, we requested from the Information Technology Financial\nManagement Services copies of all contracts and payment invoices, including dollar amounts\nreported on the Integrated Financial System (IFS) and Integrated Procurement System (IPS),\nassociated with the SPIIDE Project. The IRS took approximately three months to provide\n18 contracts and 118 invoices related to the project. This effort to provide supporting\ndocumentation and clarification involved several IRS organizations including the SPIIDE\nProject, Information Technology Financial Management Services, Chief Financial Officer, and\nProcurement offices.\nWe attempted to reconcile the budget and invoice expense totals by contract to the dollar\namounts reported on the IFS and the IPS. We planned to conduct further analyses on any\ndifferences between the two amounts, if any were identified. However, due to the complexity\nand age of some of the contracts, e.g., multiple projects under one contract dating back to 2006,\nand the obstacles encountered in obtaining and reconciling the budget and invoice expense\namounts, we eventually opted to review one contract, totaling more than $3.5 million, in-depth\nuntil we were able to identify a process to quickly resolve the differences in the dollar amounts.\n\n\n\n5\n  National Institute of Standards and Technology, NIST SP 800-122, Guide to Protecting the Confidentiality of\nPersonally Identifiable Information (PII) (April 2010).\n6\n  Government Accountability Office (formerly known as the General Accounting Office), GAO/AIMD-00-21.3.1,\nInternal Control: Standards for Internal Control in the Federal Government (Nov. 1999).\n                                                                                                       Page 7\n\x0c                  While the Data Loss Prevention Solution Is Being Developed,\n                         Stronger Oversight and Process Enhancements\n                     Are Needed for Timely Implementation Within Budget\n\n\nFor two months, we made repeated requests to resolve differences in the budgeted and expense\namounts, which to date remain unresolved.\nBased upon the limited scope of our review, we identified the following issues that were in\nmultiple contracts and in the single contract reviewed. Contracts and invoices provided were not\nalways associated with the SPIIDE Project and DLP solution. The IRS provided invoices that\nwere not related to the DLP solution but instead were related to a different project. In contrast, it\ndid not provide at least one contract and potentially other invoices associated with the SPIIDE\nProject. During our preliminary review to reconcile the budget and invoice expense totals, we\nlocated an invoice identified as a DLP solution expense, along with the contract number, but this\ncontract was not one of the 18 contracts initially provided to us. Moreover, some of our\ncalculated expense totals did not match the expense totals reported in the IFS, with differences\nranging from $1,200 to more than $3.3 million, indicating the potential for unaccounted invoice\nexpenses. Budget and invoice calculated expense totals did not reconcile to figures reported in\nthe IFS and the IPS. We selected one contract for an in-depth review, and our results included\nthe following:\n   \xef\x82\xb7   From four line items in the contract, we calculated $1,105,392.06 was budgeted for the\n       SPIIDE Project. However, the amount for the same contract as reported in the IFS was\n       $795,392, and in the IPS, it was $871,670.78. The difference between our amount and\n       the IFS figure is due to one line item that was not included in the IFS. IRS personnel\n       stated the line item in question should not be included in the total budget because it was\n       not charged to the SPIIDE Project, despite the line item being clearly marked as such. In\n       addition, we identified one invoice related to the SPIIDE Project that was charged to the\n       line item that should not have been included.\n       In the IPS, there were four budgeted amounts, but none matched the line item amounts in\n       the contract we reviewed. IRS personnel stated it was possible that there were remaining\n       funds never spent and later de-obligated. They stated it is a common practice to leave a\n       small amount of funds on each line item just in case new expenses come in. IRS\n       personnel never confirmed whether the funds were de-obligated and whether the\n       de-obligated funds accounted for the differences between the IPS amounts and the\n       contract amounts.\n   \xef\x82\xb7   Invoice amounts did not match payment amounts in the IFS. For example, an invoice for\n       $22,595.61 was recorded in the IFS as $18,919.03 and was paid as $18,950.56. The\n       invoice indicated that the payment was short $3,676.58, which is the difference in the\n       invoice amount recorded in the IFS. However, there is no explanation in the IFS of why\n       a different amount was actually paid. In another example, an invoice for $45,950.35 was\n       recorded in the IFS for the same amount but $46,016.29 was paid. Although the\n       difference was small, there was no explanation in the IFS for the change.\n   \xef\x82\xb7   Fees billed on invoices for the SPIIDE Project and other information technology projects\n       were not proportionately allocated and charged in the IFS. For example, an invoice billed\n                                                                                              Page 8\n\x0c                     While the Data Loss Prevention Solution Is Being Developed,\n                            Stronger Oversight and Process Enhancements\n                        Are Needed for Timely Implementation Within Budget\n\n\n         for the SPIIDE Project and another project totaled $54,149.32, which included a\n         7.75 percent fee of $3,894.74. The subtotal including the fee for the SPIIDE Project\n         should have been $29,301.84 but was recorded in the IFS as $29,141.66. The fee was\n         also not correctly applied for the other project\xe2\x80\x99s expense. We observed similar concerns\n         in 13 other invoices for which amounts in the IFS showed fees were misapplied for\n         approximately $340.\n    \xef\x82\xb7    Other documents provided as support for invoice amounts were not useful, but the\n         invoices were paid. For example, one invoice for $140,112.96 was paid, but the\n         supporting documents attached to the invoice only supported $45,293.23. We inquired\n         about the additional documentation but did not receive it. Also, in our preliminary\n         review of all invoices, we identified numerous instances in which supporting\n         documentation was lacking, such as timesheets to support the number of hours billed for\n         each contractor.\nWhile the dollar discrepancies above may be comparatively small, the results are for one of at\nleast 19 contracts.7 If similar results are found in other contracts, collectively, they could have a\nmaterial effect on the budget and spending for the SPIIDE Project.\nSpecific requirements in IRM 1.35.3, Receipt and Acceptance Guidelines, provide that Federal\nagencies must adhere to 31 United States Code 3512, Executive Agency Accounting and Other\nFinancial Management Reports and Plans, which requires agencies to establish and maintain\nsystems of accounting and internal control to provide reliable accounting of the agency\xe2\x80\x99s\nactivities. The systems must provide reasonable assurance that transactions are properly\nrecorded and accounted for and are in compliance with laws and regulations. The accurate and\ntimely recording of both receipt and acceptance is critical in assuring that the IRS\xe2\x80\x99s financial\nstatements are materially correct. The IRM further requires the office that physically receives or\naccepts the goods or services must have and maintain documentation that supports recording the\nappropriate accounting entry. An invoice by itself is not sufficient documentation to support\nreceipt or acceptance by the business unit.\nDuring our discussions on the budget and expenses, IRS personnel could not explain the\ndifferences in the figures reported in the IFS and the IPS. ********3*********\n**************************************3***************************************\n**************************************3***************************************\n***. The contracting officer\xe2\x80\x99s representative stated that there were four contracting officer\xe2\x80\x99s\nrepresentatives who made entries to the contract because of employee turnover in business units\nthat resulted from transfers and retirements. The contracting officer\xe2\x80\x99s representative further\nstated that the IPS does not have controls in place to restrict system access and that any\ncontracting officer\xe2\x80\x99s representative can access any contracts to make a journal entry and make\n\n\n7\n  The 19 contracts are the 18 that the IRS provided to us and the one contract we identified during our attempt to\nreconcile the budget and invoice expense totals.\n                                                                                                              Page 9\n\x0c                 While the Data Loss Prevention Solution Is Being Developed,\n                        Stronger Oversight and Process Enhancements\n                    Are Needed for Timely Implementation Within Budget\n\n\n                                           payments. In addition, the IPS does not have checks\n                                           and balances to ensure that inputs are properly\n                                           charged to the correct program, especially in\n                                           contracts for multiple projects.\n                                           Because the DLP solution budget and expenses were\n                                           not supported and accurately calculated in the\n                                           contract we reviewed, the IRS is exposed to\n                                           potentially spending more than what was budgeted\n                                           for the SPIIDE Project.\nManagement actions: After the completion of our fieldwork and in discussions with executive\nmanagement, the IRS stated that other internal management controls are in place to ensure that\ninvoices are properly expensed and to prevent over spending. In addition, the IRS provided\nadditional support and explanation on some of the issues previously identified; however, TIGTA\ndid not have sufficient time to review the information in-depth for issuance of this report.\n\nStakeholder involvement was not clearly documented and maintained\nThe SPIIDE Project team could not provide sufficient documentation to support stakeholders\xe2\x80\x99\ninvolvement in the development to implement the DLP solution. IRM 2.16.1.2.2.5.1, Milestone\nReadiness Reviews, requires the assurance that stakeholders and process owners participated in\nthe development of a system. This can be supported by: 1) examining attendance lists and\nreviewer comment forms for each key deliverable, 2) resolving reviewer comments\nsatisfactorily, and 3) completing the appropriate checklists for the current phase.\nWe reviewed the minutes from the SPIIDE Project team biweekly meetings for stakeholders\xe2\x80\x99\nattendance and other key deliverables for the stakeholders\xe2\x80\x99 comments. The minutes only\ndocumented stakeholders who were invited to the meetings, rather than who attended the\nmeetings and their expressed comments. The SPIIDE Project team stated that they provided the\nminutes from the meetings to the stakeholders, who subsequently provided comments that were\nincorporated into the key deliverables. However, the SPIIDE Project team did not maintain the\noriginal comments from the stakeholders.\nWithout documented stakeholders\xe2\x80\x99 comments, no assurance exists that stakeholders verified the\nDLP solution for its completeness, correctness, and consistency in the previous milestone phases.\n\n\n\n\n                                                                                         Page 10\n\x0c                 While the Data Loss Prevention Solution Is Being Developed,\n                        Stronger Oversight and Process Enhancements\n                    Are Needed for Timely Implementation Within Budget\n\n\nRecommendations\nTo ensure that the SPIIDE Project meets its new DLP solution implementation date and budget\nrequirements, the Chief Technology Officer should:\nRecommendation 1: Associate fully implementing the DLP solution with meeting the\nrecommended component requirement for the Administration\xe2\x80\x99s TIC initiative when competing\nfor and securing additional funding and dedicated information technology resources.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       plans to implement the DLP DIM solution by August 2015 to the extent funding is\n       provided.\nRecommendation 2: Ensure that the SPIIDE Project team conducts a risk-based analysis on\nvolume and impact on the system by adding a new criterion to the DLP solution that includes the\nkey word \xe2\x80\x9cTIN.\xe2\x80\x9d In addition, ensure that the DLP solution is upgraded to the most current\nversion available to identify SSNs in embedded comments in the Microsoft Office 2007\napplication files, especially in the Excel spreadsheets.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The SPIIDE\n       Project team plans to conduct a risk-based analysis for adding a new criterion to the DIM\n       solution for \xe2\x80\x9cTIN\xe2\x80\x9d in 2015. In addition, the IRS plans to upgrade the DLP solution plan\n       in 2016 to the extent funding is provided.\nRecommendation 3: Ensure that the SPIIDE Project team, with the assistance of the\ncontracting officer\xe2\x80\x99s representative, reconciles the DLP solution funding and expenses and\nresolves discrepancies identified during the audit.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The SPIIDE\n       Project team plans to work with the contracting officer\xe2\x80\x99s representative to reconcile\n       discrepancies identified during the audit, to the extent resources are available.\n       Office of Audit Comment: IRS management\xe2\x80\x99s response specified that the SPIIDE\n       Project team will work to reconcile the discrepancies identified during the audit as its\n       corrective action; however, its implementation appears to be contingent upon the\n       availability of resources. Because we identified and reported discrepancies that ranged\n       from $1,200 to more than $3.3 million, we believe the IRS should resolve all\n       discrepancies identified during the audit to ensure accurate reporting of DLP solution\n       funding and expenses, without regard for the availability of resources.\nRecommendation 4: Coordinate with the contracting officer\xe2\x80\x99s representative and Information\nTechnology Financial Management Services to ensure that processes are in place and accounting\nentries are accurate as they pertain to the SPIIDE Project. This will assist the SPIIDE Project\nwith properly accounting for dollars spent and provide assurance that sufficient funding remains\nto implement the initial release of the DLP solution by December 2014.\n\n                                                                                         Page 11\n\x0c                    While the Data Loss Prevention Solution Is Being Developed,\n                           Stronger Oversight and Process Enhancements\n                       Are Needed for Timely Implementation Within Budget\n\n\n        Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. Information\n        Technology Financial Management Services has internal management processes in place\n        to ensure that invoices are properly expensed and to prevent over spending. Information\n        Technology Financial Management Services plans to ensure that those processes are\n        re-communicated to all applicable internal stakeholders.\n        Office of Audit Comment: IRS management\xe2\x80\x99s response addressed ensuring that\n        processes were in place; however, it did not specifically address ensuring that accounting\n        entries are accurate as they pertain to the SPIIDE Project. We reemphasize that all\n        accounting entries should be accurate to ensure proper reporting of DLP solution funding\n        and expenses in light of discrepancies identified in the audit.\nRecommendation 5: Ensure that the SPIIDE Project team clearly documents and maintains\nsufficient information of stakeholder involvement in the future as the SPIIDE Project team\ncontinues to implement the DIM and other DLP solution components.\n        Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The SPIIDE\n        Project team documented stakeholder involvement with the DLP Working Group and the\n        information is stored on the SPIIDE Project SharePoint Site.\n        Office of Audit Comment: IRS management\xe2\x80\x99s response showed the corrective action\n        for this recommendation was implemented on February 24, 2014. During the audit, we\n        made repeated requests to the SPIIDE Project team for documentation of stakeholder\n        involvement, which included the DLP Working Group minutes; however, no additional\n        documentation was provided to demonstrate stakeholder involvement. As such, we are\n        concerned that the recommendation has not been sufficiently addressed.\n\nData Loss Prevention Solution Processes and Procedures Can Be\nEnhanced\nThe Symantec DLP solution generates a new potential PII disclosure event with a preset status of\n\xe2\x80\x9cNew\xe2\x80\x9d and severity of high, medium, low, or informational. The DLP Operations (Ops) team8\nreceives event alerts from the DLP solution and analyzes the event data and artifacts to\ndetermine if a PII disclosure incident or attempted disclosure occurred. The event is resolved as\na false positive or a nonincident, or it is categorized as a potential incident and referred to proper\nauthorities for further investigation. If the event is a false positive, the DLP Ops team dismisses\nit, resolves it as a false positive, and provides a reason for the type of error. If the event is a\nnonincident, the DLP Ops team resolves it as such, provides the reason (which includes personal\nuse, such as employees e-mailing their own PII to their personal e-mail addresses), and any\nnecessary comments. No additional actions are taken with the false positives and nonincidents.\n\n\n8\n The DLP Ops team is part of the SPIIDE Project team during systems development, but will be independent of the\nSPIIDE Project team after implementation.\n                                                                                                      Page 12\n\x0c                 While the Data Loss Prevention Solution Is Being Developed,\n                        Stronger Oversight and Process Enhancements\n                    Are Needed for Timely Implementation Within Budget\n\n\nHowever, if a potential incident is confirmed, the DLP Ops team will follow current established\nIRS processes and escalate the potential incident, based upon categorization, to the appropriate\nparties for further analysis and action as either 1) a criminal incident referral to TIGTA, 2) an\nIRS policy violation incident referral to the IRS Computer Security Incident Response Center\n(CSIRC), or 3) a broken business process to the business unit liaisons. In the event of a PII\ndisclosure, the potential incident is sent to the PGLD office. If the appropriate party disagrees\nwith the assessment, the potential incident is sent back to DLP Ops team for review until another\nparty accepts the potential incident or the DLP Ops team closes the potential incident. IRS\nemployees and managers respond to inquiries and requirements as mandated by IRS policy.\nFor the period June 2012 through December 2013, the SPIIDE Project team conducted a pilot\nand started preproduction testing of the DLP solution. This testing identified 1,903 events. To\nassess whether the IRS correctly assessed and forwarded potential disclosures of PII detected by\nthe DLP solution, we reviewed a statistically valid stratified random sample of 105 of the\n1,903 events.\n\nEvents were generally classified correctly during testing\nOur analysis of the 105 sampled events showed that the DLP Ops team correctly classified\n99 (94 percent) events as false positives, nonincidents, or potential incidents. However, for the\nremaining six (6 percent) events, the DLP Ops team classified these events incorrectly. These\nexceptions were discussed with the DLP Ops team, and they agreed with our results. The details\nfor the six are below.\n   \xef\x82\xb7   *********************************1**************************************\n       *********************************1*****************************. This\n       event should have been referred to the IRS CSIRC for further review and action. The\n       DLP Ops team stated that because this event did not contain an SSN, they ignored the\n       event and wrote a policy to ignore similar events. However, they agreed that this event\n       should have been forwarded to the IRS CSIRC or the business owner.\n   \xef\x82\xb7   Three e-mails were classified as nonincidents and were not referred to any event\n       responders. Two of the e-mails contained files with passwords to various IRS databases\n       and systems and should have been referred to the IRS CSIRC. The DLP Ops team\n       explained that at the time when these events were reviewed, they were not referring\n       events with system passwords to the IRS CSIRC, although they are referring them now.\n       The remaining e-mail was sent from the IRS website to the TIGTA Office of\n       Investigations and should have been referred to the IRS CSIRC.\n   \xef\x82\xb7   Two e-mails were classified as potential incidents that were closed as business processes\n       and forwarded to the business unit liaisons for additional review. However, the number\n       in one of the e-mails did not meet the pattern of a valid SSN. The remaining e-mail\n       contained the PII of an IRS employee who disclosed the employee\xe2\x80\x99s information, which\n       the IRS does not consider a disclosure. These two e-mails should have been classified as\n\n                                                                                         Page 13\n\x0c                  While the Data Loss Prevention Solution Is Being Developed,\n                         Stronger Oversight and Process Enhancements\n                     Are Needed for Timely Implementation Within Budget\n\n\n       false positive and nonincident, respectively. The DLP Ops team agreed that these two\n       events were misclassified as business processes.\n\nEstablished procedures did not always allow potential incidents to be forwarded\nto the PGLD office for reporting during testing\nOur further analysis of the 105 sampled events showed that the DLP Ops team appropriately\nclassified 30 events as potential incidents. For 13 (43 percent) of the 30 potential incidents, they\nwere forwarded to the required responders. The remaining 17 (57 percent) potential incidents\nwere forwarded to only one event responder based on established procedures, but should have\nalso been forwarded to and/or accepted by the PGLD office. The details of the 17 potential\nincidents and the results of our discussions with the DLP Ops team are below.\n   \xef\x82\xb7   Seven potential incidents were reported to the business unit liaisons for further review\n       and action. These involved IRS employees sending outgoing e-mails containing the\n       names and SSNs of 104 taxpayers. The DLP Ops team stated that these seven potential\n       incidents remain in the DLP inventory because the liaisons have not been trained and\n       cannot work (review and resolve) the potential incidents until Union negotiations have\n       been completed. The SPIIDE Project team anticipates training the business unit liaisons\n       by August 2014.\n   \xef\x82\xb7   Four potential incidents were referred to a DLP Ops team lead analyst for further review\n       and actions but have not been reviewed since September 11, 2013. When we asked why\n       the potential incidents have not been reviewed, the DLP Ops team shared that they plan\n       to forward them to the business unit liaisons, again, once they have been trained.\n       \xef\x82\xb7   *************************1*******************************************\n           ***************1***************. A quick search of the DLP solution system\n           identified eight additional unencrypted e-mails from this same group e-mail account.\n       \xef\x82\xb7   Three involved e-mails from IRS employees who sent unencrypted e-mails containing\n           ************************************3********************************\n           ***********************3************************.\n   \xef\x82\xb7   Three potential incidents were closed to the DLP Ops team as a business process and no\n       further actions were taken. ************1*****************\n       **********************************1*************************************\n       **********************************1*************************************\n       **********************************1*************************************\n       **********************************1*************************************\n       **********1***********.\n   \xef\x82\xb7   ********************************1***************************************\n       ********************************1***************************************\n       ***********************1***************************.\n                                                                                            Page 14\n\x0c                    While the Data Loss Prevention Solution Is Being Developed,\n                           Stronger Oversight and Process Enhancements\n                       Are Needed for Timely Implementation Within Budget\n\n\n    \xef\x82\xb7   ****************************1*******************************************\n        ****************************1*******************************************\n        *1**. The SPIIDE Project team stated that they reconfigured the DLP solution to ignore\n        the undeliverable e-mails from the IRS\xe2\x80\x99s postmaster server after discussing it with the\n        IRS CSIRC. We believe that while reconfiguring the DLP solution to ignore the\n        undelivered e-mails reduces the number of events for the DLP Ops team to review, it\n        does not prevent the disclosure from occurring. When an unencrypted e-mail is not\n        delivered, PII may still be disclosed when communication is made with the recipient\xe2\x80\x99s\n        e-mail server. The recipient e-mail server could potentially have captured information\n        from the body of the e-mail, despite it being undelivered to the intended recipient.\nThe seven potential incidents previously identified were referred to the PGLD office but were\nreturned to the DLP Ops team because they did not meet PGLD criteria for a disclosure. The\nPGLD\xe2\x80\x99s disclosure definition provides that:\n        An unauthorized disclosure is a situation that occurs when an IRS employee discloses\n        SBU information, including PII, to someone who is not authorized or does not have a\n        legitimate business use for that information, and has the potential for identity theft.\n        Examples of events to be sent to PGLD with the purpose of assessing the risk of ID theft\n        or other harm as required by OMB 07-16:\n        \xef\x82\xb7   Unencrypted, unblocked transmission, containing SBU/PII, sent to an unintended,\n            unauthorized recipient, or one without a legitimate business use for that information.\n        \xef\x82\xb7   Unencrypted, unblocked transmission, containing SBU/PII, and the DLP Ops team is\n            unable to determine if the recipient is unintended or unauthorized after reasonable\n            research.\nWe believe that the PGLD office should have received and/or accepted the 17 potential incidents\nbecause sending unencrypted e-mails provides an opportunity for individuals other than the\nintended recipient to have access to the enclosed PII. A PGLD executive stated that it was not\nthe PGLD office\xe2\x80\x99s current policy to treat unencrypted e-mails with PII sent to the intended\nrecipient as a disclosure, and it might need to revise its policy. In a February 2011 TIGTA\nreport,9 the issue with sending unencrypted e-mails by employees, taxpayers, and taxpayer\nrepresentatives was addressed. The report highlighted the IRS\xe2\x80\x99s internal procedures, guides, and\ntraining briefings in that they do not provide adequate guidance or instructions to employees to\nreport violations of unencrypted e-mails with SBU data from employees or taxpayers. However,\nour research identified subsequent internal guidance effective July 8, 2011,10 with a warning that\nemployees should never consider e-mail secure, and they should not include taxpayer, SBU, or\nPII information in e-mail messages or attachments unless IRS-approved encryption technology is\n\n9\n  TIGTA, Ref. No.2011-20-012, Additional Security Is Needed for the Taxpayer Secure E-mail Program p. 12\n(Feb. 2011).\n10\n   IRM 1.10.3.2.1(3) and (7), Secure Messaging and Encryption.\n                                                                                                     Page 15\n\x0c                     While the Data Loss Prevention Solution Is Being Developed,\n                            Stronger Oversight and Process Enhancements\n                        Are Needed for Timely Implementation Within Budget\n\n\nbeing used or an exception is approved by the Information Technology organization. We are not\naware of any exceptions approved by the Information Technology organization for the SPIIDE\nProject, especially when the project\xe2\x80\x99s purpose is to protect SBU data.\nBased on our findings on the 17 potential incidents, we believe that the PGLD office should have\nadvised the affected parties of the disclosure and offered credit monitoring services in 11 of the\n17 potential incidents. In the remaining six incidents, the PGLD office did not need to contact\nthe individuals because they either disclosed their own PII or may have been the subject of a tax\nor criminal review. In addition, OMB procedures and the Treasury Incident Reporting and\nGuidelines Procedures11 require the IRS to report PII disclosures to the Treasury CSIRC. We\nbelieve these 17 potential incidents should have also been reported.\nBased upon projections from our sample, we estimate that 308 of the 1,903 potential incidents\nmet the OMB PII disclosure reporting requirements and were not reported to the PGLD office\nand later to the Treasury CSIRC. In addition, we estimate that the individuals whose PII was\ndisclosed in 199 of the 308 potential incidents were not contacted and offered credit monitoring\nservices.12\n\nEmployees violated policies by providing and responding to tax information in\ne-mails during testing\nWhile we understand that the SPIIDE Project and the DLP Ops teams are working through and\nrefining the DLP solution process and procedures, we identified an additional condition that\nwarrants the DLP Ops team\xe2\x80\x99s attention as they finalize their guidelines to comply with Federal\nguidelines. We identified 11 potential incidents that involved employees providing tax account\ninformation and replying to the original e-mail that contained unencrypted PII from tax preparers\nor other Government agencies. These 11 potential incidents remain in the DLP solution\ninventory and have not been referred to the business liaisons to be worked. Although the\ninitiators of the e-mails may have been authorized to receive the information, the employees\nviolated policy by sending unencrypted e-mails with PII outside the IRS. It appears that three of\nthese 11 potential incidents were incoming e-mails sent directly to the employees from taxpayer\nrepresentatives requesting tax account information.\nEmployees should not respond to requests for tax return information that are not received\nthrough official channels, such as taxpayer walk-in offices, telephone contact, or cases assigned\nby managers. We attempted to search the DLP solution for similar incidents. However, we\ncould not easily identify any additional events, including those involving tax preparers, because\n\n11\n  Department of the Treasury Incident Reporting and Guidelines Procedures Version 4.0 June 15, 2011.\n12\n  The point estimate projection is based on a two-sided 95 percent confidence interval. We are 95 percent confident\nthat the point estimate is between 177 and 439 potential incidents that were not reported to the PGLD office and the\nTreasury CSIRC. In addition, we are 95 percent confident that the point estimate is between 90 and 308 that the\nPGLD office should have contacted the individuals affected by the unencrypted disclosures to offer them credit\nmonitoring services.\n                                                                                                          Page 16\n\x0c                    While the Data Loss Prevention Solution Is Being Developed,\n                           Stronger Oversight and Process Enhancements\n                       Are Needed for Timely Implementation Within Budget\n\n\nthe SPIIDE Project team did not add an attribute in the DLP solution to readily identify e-mails\nfrom tax preparers.\nThe OMB has issued specific guidance for Federal agencies to follow concerning disclosure and\nactions to be taken when suspected or confirmed breaches of PII occur. OMB M-06-19,\nReporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for\nSecurity in Agency Information Technology Investments,13 requires agencies to report all\nsuspected or confirmed incidents involving PII in electronic or physical form to the\nU.S. Computer Emergency Readiness Team within one hour of discovering the incident. The\nOMB also requires the reporting of PII incidents even when there is no risk of identity theft.\nAdditionally, OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally\nIdentifiable Information,14 provides a framework to reduce the risks related to data breaches of\nPII. Included in this framework is the use of encryption, strong authentication procedures, and\nother security controls to make information unusable by unauthorized individuals.\nFurthermore, the IRS has specific internal requirements\nfor providing information to the public. IRM 11.3.2.6,            Taxpayers have the right to\nMethods for Communication of Confidential                      expect that any information they\nInformation, allows employees to disclose tax                    provide to the IRS will not be\ninformation to a taxpayer, his or her legal representative,     disclosed unless authorized by\nor a designated third party. However, disclosure is             the taxpayer or by law, and to\nprohibited by e-mail even if the requester asked to           expect appropriate action will be\nsubmit the tax information via e-mail. Although the            taken against employees, return\nrequester has a legal right to that information, e-mail is        preparers, and others who\nnot an approved secure method. IRM 11.3.1.14.2,                   wrongfully use or disclose\nElectronic Mail and Secure Messaging, provides that              taxpayer return information.\nemployees may not use e-mail to transmit SBU data\n(including PII) to parties outside of the IRS, including\nother Government agencies, taxpayers, or their representatives, even if specifically authorized by\nthe taxpayer, unless the employees use the IRS Secure Messaging system. In addition, IRM\n10.5.5.3, Covered Relationships and Official Channels, states that employees are not allowed\naccess to return information when the request is received through unofficial channels, such as\nrequests from individuals at social functions and nonwork environments, and requests received\nfrom close friends, relatives, neighbors, or co-workers. Lastly, the IRS recently adopted the\nTaxpayer Bill of Rights. In these provisions, taxpayers have the right of confidentiality and can\nexpect the IRS to only disclose information when authorized by the taxpayer and take\n\n\n13\n   Office of Management and Budget, OMB Memorandum M-06-19, Reporting Incidents Involving Personally\nIdentifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments\n(July 2006).\n14\n   Office of Management and Budget, OMB Memorandum M-07-16, Safeguarding Against and Responding to the\nBreach of Personally Identifiable Information (May 2007).\n                                                                                                      Page 17\n\x0c                  While the Data Loss Prevention Solution Is Being Developed,\n                         Stronger Oversight and Process Enhancements\n                     Are Needed for Timely Implementation Within Budget\n\n\nappropriate action against employees, tax return preparers, and others who wrongfully use or\ndisclose taxpayer return information.\nBreaches involving PII can receive considerable media attention, which can greatly harm the\npublic\xe2\x80\x99s trust in the IRS. Failure to report all potential incidents involving PII disclosure to the\nappropriate IRS functions in a timely manner decreases the IRS\xe2\x80\x99s ability to respond quickly and\neffectively to report potential incidents to the Treasury CSIRC and to offer remedial services,\nsuch as credit monitoring, to affected individuals. Furthermore, noncompliance or delayed\ncompliance can also result in substantial harm, embarrassment, and inconvenience to the affected\nindividuals and could lead to identity theft, blackmail, or other fraudulent use of the\ninformation. Lastly, responding to requests for tax account information received from an\nunofficial channel can give the appearance of partiality and the perception of providing\nexpedited or preferential treatment that is unavailable to the general public.\n\nThe DLP Ops team is not reporting tax preparers who violate disclosure rules\nduring testing\nThe DLP Ops team is not reporting employee outbound reply e-mails originating from tax\npreparers who included taxpayer PII in inbound unencrypted e-mails as disclosure to the Office\nof Professional Responsibility (OPR). In our sample of 105 events, we identified three events in\nwhich employees replied to e-mails from tax preparers who sent taxpayer PII requesting tax\naccount information. Although these e-mails did not originate from the IRS employees, the\ninbound e-mails still contained PII. As previously mentioned, we could not easily identify any\nadditional events involving tax preparers because the SPIIDE Project team did not add an\nattribute in the DLP solution to readily identify e-mails from tax preparers.\nThe three events should have been classified as potential incidents and referred to the business\nunit liaisons and subsequently forwarded only the potential incidents involving a tax preparer\nwho is also a licensed tax practitioner to the OPR. Tax preparers who are permitted to practice\nbefore the IRS are considered Circular 230 practitioners (hereafter referred to as licensed tax\npractitioners). The OPR can educate licensed tax practitioners of their responsibility to secure\nand protect their clients\xe2\x80\x99 tax return information and to correct their behavior of sending taxpayer\nPII by unencrypted e-mail. In addition, an executive from the OPR stated a referral to the OPR\nwould be appropriate if the business unit liaison determines that a tax preparer who sent a\nprohibited e-mail is a licensed tax practitioner, such as an attorney, certified public accountant,\n                                          or enrolled agent.\n                                       The OPR has the authority to ensure that all licensed tax\n      Unencrypted e-mails              practitioners adhere to professional standards and follow\n      containing PII can lead          the law. Licensed tax practitioners have the responsibility\n      to identity theft.               to secure and protect taxpayer PII from disclosure. They\n                                       must also abide by Internal Revenue Code Section 7216\n                                       by not recklessly, knowingly, or unknowingly disclosing\n                                       taxpayer information. The National Institute for\n                                                                                            Page 18\n\x0c                  While the Data Loss Prevention Solution Is Being Developed,\n                         Stronger Oversight and Process Enhancements\n                     Are Needed for Timely Implementation Within Budget\n\n\nStandards and Technology recommends that agencies implement automated tools to monitor\ntransfers of PII and to monitor inbound and outbound communications.\nWe presented our concerns to the SPIIDE Project team, and they stated that they were not aware\nof the OPR\xe2\x80\x99s responsibilities and that tax preparers were violating their obligations to secure and\nprotect taxpayer information. As a result, the SPIIDE Project team had not included the OPR as\nan event responder for handling these cases. The SPIIDE Project team stated that they will\nreconsider monitoring unencrypted inbound e-mail traffic after the DLP solution is initially\ndeployed and operational. In the meantime, the DLP Ops team will incorporate identifying and\nrouting such potential incidents to the appropriate event responders into current policy and\nprocedures.\nWhen faced with a security incident, an agency must be able to respond in a manner protecting\nboth its own information and helping to protect the information of others who might be affected\nby the incident. The IRS may be exposing itself to lose trust with the American public and\nexposing taxpayers to potential identity theft and fraud. Additionally, the OPR loses an\nopportunity to correct the behavior of registered tax preparers, enrolled agents, and licensed tax\npractitioners who are not protecting their clients\xe2\x80\x99 tax return information as required.\n\nRecommendations\nTo enhance the processes and procedures over the DLP solution, the Chief Technology Officer\nshould:\nRecommendation 6: Ensure that the SPIIDE Project team trains the DLP Ops team to\nforward potential incidents to the appropriate event responders and trains business unit liaisons\nto immediately start reviewing the potential incidents and then take appropriate action, when\nnecessary (after Union negotiations are completed in regard to DLP solution implementation).\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The SPIIDE\n       Project team trained the DLP Ops team to forward potential incidents to the appropriate\n       event responders and business unit liaisons to immediately start reviewing the potential\n       incidents and then take appropriate action, when necessary.\nRecommendation 7: Change the forwarding procedures to refer all unencrypted e-mails\ncontaining PII to the PGLD office first and then to the business unit liaisons to ensure that all\npotential PII disclosure incidents are timely reported to the Treasury CSIRC.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. Events\n       determined to be unencrypted PII exiting IRS network protection will be reviewed by the\n       PGLD office\xe2\x80\x99s Incident Management team within the SPIIDE Project application and\n       they plan to notify Treasury CSIRC when appropriate. In addition, the SPIIDE Project\n       team plans to update the event management workflow.\n\n\n                                                                                             Page 19\n\x0c                  While the Data Loss Prevention Solution Is Being Developed,\n                         Stronger Oversight and Process Enhancements\n                     Are Needed for Timely Implementation Within Budget\n\n\nRecommendation 8: Conduct an analysis to determine whether to remove the\nreconfiguration that ignores the undeliverable e-mails to allow the DLP solution to identify these\nevents. The identification of similar e-mails will provide the IRS with an opportunity to notify\nthe affected parties of the disclosure and report it to the Treasury CSIRC.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       plans to conduct an analysis to determine whether to remove the reconfiguration that\n       ignores the undelivered e-mails in the DLP solution production system.\nRecommendation 9: Ensure that the SPIIDE Project team adds an additional attribute to\nidentify tax preparers to the advance search criteria to allow for easy identification of events\ninvolving tax preparers in outbound unencrypted e-mails containing PII.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The current\n       DLP solution does not have the ability to correctly identify tax preparers via an\n       automated search criterion. In lieu of this, a modification has been made to the DLP\n       solution reason codes to allow for event responders to classify an event involving tax\n       preparers.\nRecommendation 10: Incorporate a process to forward outbound unencrypted e-mail traffic\nwith PII from licensed tax preparers/taxpayer representatives to the OPR through the business\nunit liaisons into the current policy and procedures. After the DIM component of the DLP\nsolution is deployed and operational, conduct a risk-based analysis to determine the feasibility on\nthe monitoring and identifying of unencrypted inbound e-mail traffic with PII from these\nlicensed tax practitioners to route to the OPR.\n       Management\xe2\x80\x99s Response: The IRS partially agreed with this recommendation. The\n       SPIIDE Project team plans to enhance the processes and procedures to forward outbound\n       unencrypted e-mail traffic with PII from licensed tax preparers/taxpayer representatives\n       to the OPR through the business unit liaison. The IRS disagreed with the part of the\n       recommendation regarding inbound e-mail. The requirement to implement a DLP\n       solution as defined in Treasury Directive 85-01 is to prevent the outbound transmission\n       of unencrypted information from the Treasury. This expansion to review and monitor\n       inbound e-mail traffic for unencrypted SSNs from licensed tax practitioners is not\n       currently feasible or cost effective for the IRS. For example, no source of valid e-mail\n       addresses for licensed tax practitioners currently exists.\n       Office of Audit Comment: While the IRS\xe2\x80\x99s statement regarding the Treasury\n       Directive\xe2\x80\x99s requirement is valid, we stated in the report that the National Institute for\n       Standards and Technology recommends that agencies implement automated tools to\n       monitor transfers of PII and to monitor inbound and outbound communications.\n       However, we concur with IRS management\xe2\x80\x99s rationale for not implementing the inbound\n       portion of the recommendation.\n\n\n                                                                                             Page 20\n\x0c                 While the Data Loss Prevention Solution Is Being Developed,\n                        Stronger Oversight and Process Enhancements\n                    Are Needed for Timely Implementation Within Budget\n\n\nRecommendation 11: Coordinate with the business units to ensure that their employees\nfollow the IRM procedures that require the use of the IRS Secure Messaging system when\nsending SBU/PII information to tax preparers, other Government agencies, and taxpayers.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       plans to redistribute an IRS-wide communication on authorized encryption procedures for\n       SBU/PII to ensure that employees follow the IRM procedures.\nWe also recommend that the Director, Privacy, Governmental Liaison, and Disclosure, should:\nRecommendation 12: Revise the disclosure acceptance criteria to ensure that all potential PII\ndisclosure incidents are reported to the Treasury CSIRC within the required time period and that\naffected parties are timely notified.\n       Management\xe2\x80\x99s Response: The IRS disagreed with this recommendation. The\n       acceptance criteria used by the PGLD office\xe2\x80\x99s Incident Management team adheres to\n       OMB and National Institute of Standards and Technology requirements for the reporting\n       of inadvertent disclosures. The PGLD office\xe2\x80\x99s Incident Management team will review\n       SPIIDE Project-identified events in conjunction with the business liaisons and the DLP\n       Ops team and report appropriate items to the Treasury CSIRC. When applicable, a risk\n       assessment will be performed and potentially affected individuals notified in accordance\n       with existing direction.\n       Office of Audit Comment: IRS management disagreed with our recommendation\n       because they believe the PGLD office\xe2\x80\x99s acceptance criteria adhered to existing Federal\n       Government guidance. We contend that the acceptance criteria did not address the\n       exceptions identified during our audit. Specifically, we found employees responding\n       with tax information in unencrypted e-mails. During the audit, the PGLD office stated\n       that its office\xe2\x80\x99s current policy was not to treat unencrypted e-mails with PII sent to the\n       intended recipient as a disclosure. However, as we reported, IRS policy, which has been\n       in effect since March 7, 2008, prohibits communicating confidential information using\n       e-mail other than through the Secure Messaging system. As such, the use of unencrypted\n       e-mails outside of the IRS violates policy and should be included in the acceptance\n       criteria so that the PGLD office can evaluate any possible actual disclosures due to the\n       possible interception of unencrypted e-mails.\n\n\n\n\n                                                                                         Page 21\n\x0c                     While the Data Loss Prevention Solution Is Being Developed,\n                            Stronger Oversight and Process Enhancements\n                        Are Needed for Timely Implementation Within Budget\n\n\n                                                                                                   Appendix I\n\n          Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether the SPIIDE Project is developing\na data loss prevention and protection solution for implementation in accordance with applicable\npolicies and procedures and within budget to safeguard sensitive data. To accomplish our\nobjective, we:\nI.       Determined whether the development of the SPIIDE Project properly followed\n         commercial off-the-shelf enterprise life cycle1 procedures in accordance with Treasury,\n         OMB, IRM, and other applicable guidelines.\n         A. Determined whether the SPIIDE Project completed required key deliverables through\n            the current milestone. In addition, we reviewed OMB and Treasury guidance to\n            determine the requirements for the IRS to develop and implement a breach\n            notification policy, to eliminate or reduce the unnecessary use of SSNs, and to\n            implement additional controls in the cybersecurity environment.\n         B. Determined whether system security controls have been considered and planned in\n            the design of the SPIIDE Project.\n             1. Determined whether security issues and risks were identified, tracked, and being\n                addressed from project inception.\n             2. Selected a statistically valid random sample of the SPIIDE Project\xe2\x80\x99s limited\n                testing results2 to determine if the IRS took appropriate actions to report the\n                potential breaches. We used a 95 percent confidence level, an 8 percent expected\n                error rate, and a \xc2\xb1 7 percent precision level. We took a statistically valid random\n                sample because we wanted to project the number of events not reported properly\n                over the population of all 1,903 events identified from June 2012 through\n                December 2013.\n             3. Used TIGTA\xe2\x80\x99s contracted statistician to review the sampling plan and to develop\n                projections.\n             4. Conducted independent testing of the DLP solution to determine whether the\n                system is capable of identifying unencrypted e-mails containing PII.\n         C. Determined the frequency of stakeholders\xe2\x80\x99 involvement in the SPIIDE Project.\n\n1\n See Appendix V for a glossary of terms.\n2\n We used the limited testing results and determined the accuracy of the DLP solution capabilities for identifying\nPII, which are included in this report.\n                                                                                                           Page 22\n\x0c                 While the Data Loss Prevention Solution Is Being Developed,\n                        Stronger Oversight and Process Enhancements\n                    Are Needed for Timely Implementation Within Budget\n\n\nII.    Determined whether the SPIIDE Project is effectively and efficiently managing funds\n       allocated for the implementation of the Symantec DLP solution by obtaining total cost,\n       from inception to date, by category for the SPIIDE Project from the project manager or\n       other responsible IRS officials.\nIII.   Determined the U.S. Department of State and U.S. Postal Service\xe2\x80\x99s experience with the\n       development and cost of implementing the Symantec DLP solution to identify best\n       practices to share with the IRS\xe2\x80\x99s SPIIDE Project team.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined that the\nfollowing internal controls were relevant to our audit objective: Treasury Directives, and OMB,\nIRM, and National Institute for Standards and Technology guidelines for implementing an\nautomatic tool to monitor transfers of PII and for developing a commercial off-the-shelf product.\nWe evaluated these controls by interviewing Treasury, U.S. Department of State, and U.S. Postal\nService officials; IRS procurement and budget personnel; the SPIIDE Project team; and an\nenterprise life cycle coach, and by reviewing enterprise life cycle commercial off-the-shelf\nartifacts and documents supporting the procurement, budget, and expenses for the DLP solution.\n\n\n\n\n                                                                                         Page 23\n\x0c                 While the Data Loss Prevention Solution Is Being Developed,\n                        Stronger Oversight and Process Enhancements\n                    Are Needed for Timely Implementation Within Budget\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nDeborah Smallwood, Audit Manager\nCindy Harris, Lead Auditor\nCari Fogle, Senior Auditor\nLouis Lee, Senior Auditor\n\n\n\n\n                                                                                     Page 24\n\x0c                While the Data Loss Prevention Solution Is Being Developed,\n                       Stronger Oversight and Process Enhancements\n                   Are Needed for Timely Implementation Within Budget\n\n\n                                                                      Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Commissioner for Services and Enforcement SE\nChief Financial Officer OS:CFO\nDirector, Office of Professional Responsibility SE:OPR\nDirector, Privacy, Governmental Liaison, and Disclosure OS:P\nDirector, Risk Management Division OS:CTO:SP:RM\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluations and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Chief Financial Officer OS:CFO\n       Chief Technology Officer OS:CTO\n       Director, Office of Professional Responsibility SE:OPR\n       Director, Privacy, Governmental Liaison, and Disclosure OS:P\n\n\n\n\n                                                                            Page 25\n\x0c                     While the Data Loss Prevention Solution Is Being Developed,\n                            Stronger Oversight and Process Enhancements\n                        Are Needed for Timely Implementation Within Budget\n\n\n                                                                                              Appendix IV\n\n                                     Outcome Measure\n\nThis appendix presents detailed information on the measurable impact that our recommended\ncorrective action will have on tax administration. This benefit will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\n\xef\x82\xb7   Taxpayer Privacy and Security \xe2\x80\x93 Potential; 308 potential incidents1 of PII and tax account\n    disclosures (see page 12).\n\nMethodology Used to Measure the Reported Benefit:\nWe selected and reviewed a statistically valid random sample of 105 events identified by the\nDLP solution system. We selected the sample from the population of 1,903 events that were\nidentified during the period of June 1, 2012, through December 31, 2013. We used a confidence\nlevel of 95 percent, a precision level of \xc2\xb1 7 percent, and an expected error rate of 8 percent to\nselect the sample.\nOur results showed that 17 (16.19 percent) of 105 events were not forwarded to all of the\nrequired responders. These 17 events, which are potential incidents, should have been forwarded\nto and/or accepted by the PGLD office as PII disclosures. In addition to reporting the potential\nincidents to the PGLD office, the 17 potential incidents should have been reported to the\nTreasury CSIRC as PII disclosures as required by OMB procedures. Furthermore, the PGLD\noffice should have advised the affected parties of the disclosure and offered credit monitoring\nservices in 11 of the 17 potential incidents.\nWe project2 that an estimated 308 potential incidents that met the OMB PII disclosure reporting\nrequirements were not reported to the PGLD office and later to the Treasury CSIRC. In addition,\nwe project that the individuals whose PII was disclosed in 199 of the 308 potential incidents\nwere not contacted and offered credit monitoring service.\n\n\n\n\n1\n See Appendix V for a glossary of terms.\n2\n The point estimate is based on a two-sided 95 percent confidence interval. We are 95 percent confident the point\nestimate is between 177 and 439 potential incidents that were not reported to the PGLD office and the Treasury\nCSIRC. In addition, the point estimate is between 90 and 308 potential incidents that the PGLD office should have\ncontacted the individuals affected by the unencrypted disclosures and offered them credit monitoring services.\n\n                                                                                                         Page 26\n\x0c                    While the Data Loss Prevention Solution Is Being Developed,\n                           Stronger Oversight and Process Enhancements\n                       Are Needed for Timely Implementation Within Budget\n\n\n                                                                                  Appendix V\n\n                               Glossary of Terms\n\n             Term                                         Definition\nBaseline                     A baseline consists of a specified set of documents, software, and\n                             other items defined as final (or point-in-time) products for a\n                             project. A baseline establishes a predefined point from which to\n                             evaluate project progress.\nBusiness Unit                A title for major IRS organizations such as Appeals, Wage and\n                             Investment, the OPR, and Information Technology.\nCircular 230 Practitioner    Any individual described as an attorney, certified public\n                             accountant, enrolled agent, enrolled actuary, enrolled retirement\n                             plan agent, and registered tax return preparer that is permitted to\n                             practice before the IRS. The IRS OPR is responsible for all\n                             matters related to practitioner conduct, discipline, and practice\n                             before the IRS under 31 Code of Federal Regulations part 10\n                             (Circular 230).\nClear Text                   Information that is not encrypted.\nCompact Disk                 A compact disk is a small, portable, round medium made of\n                             molded polymer for electronically recording, storing, and playing\n                             back audio, video, text, and other information in digital form.\nComputer Security Incident A group of individuals usually consisting of security analysts\nResponse Center            organized to develop, recommend, and coordinate immediate\n                           mitigation actions for containment, eradication, and recovery\n                           resulting from computer security incidents.\nCustomer Account Data        The Customer Account Data Engine 2 leverages existing IRS\nEngine 2                     systems and components to perform functions related to accessing\n                             and updating taxpayer account data, managing cases, and resolving\n                             account issues. It will implement a single system that uses a\n                             relational database to process accounts on a daily basis.\nData Center Warehouse        A collection of IRS databases containing various types of taxpayer\n                             account information that is maintained by TIGTA for the purpose\n                             of analyzing data for ongoing audits.\n\n\n                                                                                          Page 27\n\x0c                    While the Data Loss Prevention Solution Is Being Developed,\n                           Stronger Oversight and Process Enhancements\n                       Are Needed for Timely Implementation Within Budget\n\n\n             Term                                          Definition\nDefault Administrator        A default administrator account is a user account already created\nAccount                      on the operating system (by default) that allows the administrator\n                             to make changes that will affect other users. Administrators can\n                             change security settings, install software and hardware, access all\n                             files on the computer, and make changes to other user accounts.\nDevelopment, Integration,    A controlled environment used to create, modify, integrate, and\nand Test Environment         test configuration items, information technology services,\n                             applications, releases, processes, etc.\nDisclosure                   The making known to any person, in any manner, a return or\n                             return information.\nDriver                       A driver is a program that interacts with a particular device or\n                             special kind of software. The driver contains the special\n                             knowledge of the device or special software interface that\n                             programs using the driver do not.\nEncryption                   The process of converting plain text to cipher text by means of a\n                             cryptographic system.\nEnterprise Life Cycle        The enterprise life cycle establishes a set of repeatable processes\n                             and a system of reviews, checkpoints, and milestones that reduce\n                             the risks of system development and ensure alignment with the\n                             overall business strategy.\nFalse Positive               A false positive is a test result which incorrectly indicates that a\n                             particular condition or attribute is present. For example, a\n                             nine-digit ZIP code could be misconstrued as an SSN.\nFiling Season                The period from January through mid-April when most individual\n                             income tax returns are filed.\nFinancial Management         An Office that supports IRS Information Technology by\nService                      formulating and executing budgets, preparing clear financial\n                             policy, and providing financial services to the Associate Chief\n                             Information Officers. In addition, it serves as the link to the Chief\n                             Financial Officer and represents Information Technology\xe2\x80\x99s\n                             funding needs to Corporate IRS.\n\n\n\n\n                                                                                            Page 28\n\x0c                   While the Data Loss Prevention Solution Is Being Developed,\n                          Stronger Oversight and Process Enhancements\n                      Are Needed for Timely Implementation Within Budget\n\n\n            Term                                         Definition\nIncident                    An incident is an occurrence that actually or potentially\n                            jeopardizes the confidentiality, integrity, or availability of an\n                            information system or the information the system processes,\n                            stores, or transmits. Also, an incident could constitute a violation\n                            or imminent threat of violation of security policies, security\n                            procedures, or acceptable use policies.\nIntegrated Financial        An administrative accounting system used by the IRS.\nSystem\nIntegrated Procurement      A program that tracks all incoming commitment requests and\nSystem                      captures the information necessary to process acquisition actions\n                            including purchase orders, delivery orders, task orders, contract\n                            awards, interagency agreements, and associated modifications.\nLive Data Waiver            The IRS prohibits the use of live data without approval from the\n                            Office of Privacy, Information Protection, and Data Security. Live\n                            data shall be used only when other alternatives, such as sanitized\n                            live data or synthetic data, cannot be used to complete a business\n                            process or other assigned official duties, and live data waiver must\n                            be prepared for such use.\nMilestone                   Milestones provide for \xe2\x80\x9cgo/no-go\xe2\x80\x9d decision points in a project and\n                            are sometimes associated with funding approval to proceed.\nNational Institute for      Founded in 1901, the National Institute for Standards and\nStandards and Technology    Technology is a nonregulatory Federal agency within the U.S.\n                            Department of Commerce. Its mission is to promote U.S.\n                            innovation and industrial competitiveness by advancing\n                            measurement science, standards, and technology in ways that\n                            enhance economic security and improve our quality of life.\nPermissions                 A system administrator defines for the system which users are\n                            allowed access to the system and what privileges of use, such as\n                            access to which file directories, hours of access, and amount of\n                            allocated storage space.\n\n\n\n\n                                                                                         Page 29\n\x0c                   While the Data Loss Prevention Solution Is Being Developed,\n                          Stronger Oversight and Process Enhancements\n                      Are Needed for Timely Implementation Within Budget\n\n\n            Term                                          Definition\nPlug and Play                Plug and play is a phrase used to describe devices that work with a\n                             computer system as soon as they are connected. The user does not\n                             have to manually install drivers for the device or even tell the\n                             computer that a new device has been added. Instead, the computer\n                             automatically recognizes the device, loads new drivers for the\n                             hardware (if needed), and begins to work with the newly\n                             connected device.\nPrivilege                    A right granted to an individual, a program, or a process.\nSensitive But Unclassified   Any information that requires protection due to the risk and\n                             magnitude of loss or harm to the IRS or the privacy to which\n                             individuals are entitled under 5 United States Code Section 552a\n                             (the Privacy Act), which could result from inadvertent or\n                             deliberate disclosure, alteration, or destruction.\nSeparation of Duties         Key duties and responsibilities need to be divided or segregated\n                             among different people to reduce the risk of error or fraud.\nSharePoint Site              A platform from Microsoft that is used to create intranets (internal\n                             websites) for team collaboration, blogs, wikis, and company news.\n                             It is also commonly deployed to extend certain information to\n                             customers via password-protected websites.\nSubject Matter Expert        A subject matter expert is an individual who understands a\n                             business process or area well enough to answer questions from\n                             people in other groups who are trying to help. It is most\n                             commonly used to describe the people who explain the current\n                             process to information technology and then answer their questions\n                             as they try to build a technology system to automate or streamline\n                             the process.\nTaxpayer Bill of Rights      The Taxpayer Bill of Rights takes the multiple existing rights\n                             embedded in the tax code and groups them into 10 broad\n                             categories that include the Right to Be Informed and the Right to\n                             Privacy.\nThumb Drive                  An external hard disk drive or optical disk drive that plugs into the\n                             universal serial bus port.\n\n\n\n\n                                                                                          Page 30\n\x0c                   While the Data Loss Prevention Solution Is Being Developed,\n                          Stronger Oversight and Process Enhancements\n                      Are Needed for Timely Implementation Within Budget\n\n\n          Term                                           Definition\nTrusted Internet            The primary goals of the TIC initiative are to consolidate and\nConnection                  secure Federal agency external connections using a common set of\n                            security controls and to improve the Federal Government\xe2\x80\x99s\n                            incident response capability. To achieve these goals, the initiative\n                            has the objectives to 1) reduce and consolidate external\n                            connections, including connections to the Internet, across the\n                            Federal Government; 2) define and maintain baseline security\n                            capabilities at TIC access points; and 3) establish a compliance\n                            program to monitor agency adherence to TIC policy.\nUser Seat License           Licensed software on a server may only be accessed by those who\n                            have been granted a seat, also referred to as a seat license. Those\n                            with a seat license are identified in the system directory; only they\n                            can access the protected software. Thus, each user computer is\n                            considered a seat.\n\n\n\n\n                                                                                         Page 31\n\x0c    While the Data Loss Prevention Solution Is Being Developed,\n           Stronger Oversight and Process Enhancements\n       Are Needed for Timely Implementation Within Budget\n\n\n                                                    Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 32\n\x0cWhile the Data Loss Prevention Solution Is Being Developed,\n       Stronger Oversight and Process Enhancements\n   Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                                       Page 33\n\x0cWhile the Data Loss Prevention Solution Is Being Developed,\n       Stronger Oversight and Process Enhancements\n   Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                                       Page 34\n\x0cWhile the Data Loss Prevention Solution Is Being Developed,\n       Stronger Oversight and Process Enhancements\n   Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                                       Page 35\n\x0cWhile the Data Loss Prevention Solution Is Being Developed,\n       Stronger Oversight and Process Enhancements\n   Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                                       Page 36\n\x0cWhile the Data Loss Prevention Solution Is Being Developed,\n       Stronger Oversight and Process Enhancements\n   Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                                       Page 37\n\x0cWhile the Data Loss Prevention Solution Is Being Developed,\n       Stronger Oversight and Process Enhancements\n   Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                                       Page 38\n\x0cWhile the Data Loss Prevention Solution Is Being Developed,\n       Stronger Oversight and Process Enhancements\n   Are Needed for Timely Implementation Within Budget\n\n\n\n\n                                                       Page 39\n\x0c'